Uber has suffered a data breach that allowed a hacker to gain access to vulnerability reports and internal systems. The hacker sent screenshots of email, cloud storage, and code repositories to cybersecurity researchers and The New York Times, indicating full access to many critical Uber IT systems, including the company’s software and Windows domain. The threat actor gained access to the company’s internal systems using stolen credentials. Uber is currently working with law enforcement to respond to the incident. Cyber experts shared their insights on the attack, many noting that attacks abusing VPN access and MFA are becoming all too common.
Ian McShane, Vice President, Strategy, Arctic Wolf
"Uber is renowned for having some of the best cybersecurity in the business so the fact they have been compromised points to what we should all know, nobody’s perfect and even the best managed security organizations can be compromised. The key is how quickly you respond and mitigate the issue which they appear to have done here.
While no official explanation has been provided yet, someone claiming to be the attacker explains that initial access was gained through social engineering - contacting an unwitting Uber staff member, pretending to be tech support and resetting their password. Then the intruder was able to connect to Corporate VPN to gain access to the wider Uber network, and then seems to have stumbled on gold in the form of admin credentials stored in plain text on a network share.
This is a pretty low-bar to entry attack and is something akin to the consumer-focused attackers calling people claiming to be MSFT and having the end user install keyloggers or remote access tools. Given the access they claim to have gained, I’m surprised the attacker didn’t attempt to ransom or extort, it looks like they did it “for the lulz”.
Attacks that make use of insider threats and compromised user credentials continue to grow – by 47% according to the 2022 Ponemon Institute report – and it’s proof once again that often the weakest link in your security defenses is the human. It is therefore critical that you manage that risk by running regular training and security awareness sessions while running around-the-clock monitoring, detection, and response, as well as other security operations solutions to reduce risk and keep your organization protected."
Francisco Donoso, Vice President, Security Strategy and Platforms at Kudelski Security
"The threat actor in last night’s Uber hack seemed to gain initial access via employee VPN and seemed to be able to bypass MFA by abusing the push mechanism to “annoy” users into accepting MFA push prompts. This method is becoming increasingly common, even being used in the recent Twilio and Cisco attacks. Organizations should consider training their employees about these constant MFA request tricks and tell them to notify InfoSec immediately in the event of suspicious activity. The single most effective way to prevent these types of bypasses altogether, however, is to leverage MFA number matching to authenticate requests.
Once the attacker gained access to Uber’s servers, it seems like they scanned the internal network and found a PowerShell or automation script with hard-coded credentials that provided the attacker with access to Uber’s Privileged Access Management (PAM) system. Once an attacker has full access to an organization's PAM, they likely will have full access to your entire IT environment including cloud, SaaS, and on-premises systems.
Attacks of this kind are not going away any time soon; in fact, they will likely grow in frequency. Organizations should consider conducting a tabletop exercise with this exact scenario so they can plan how they’d respond, communicate with employees, and recover if a threat actor had full admin access to all their infrastructure, cloud, and SaaS providers, including those used for employee chat and email."
Josh Yavor, CISO, Tessian
"This is yet another example of what attack after attack has shown: social engineering is the predominant way that companies fall victim to breaches, and adversaries know it works. While it is too early to be confident about the details of the attack, one point is clear: weak multi-factor authentication deployments are leaving large organizations that are attractive targets vulnerable to major attacks.
This is not to say that MFA doesn’t work. In this and other recent cases, attackers targeted an employee with techniques and tools to bypass MFA. We’re seeing an increased availability of free and accessible attacker tooling, which helps automate phishing and bypass of weaker MFA factors including push notifications. This in turn is leading to more compromises where attackers make MFA requests that trick the victim into approving access for the attacker.
In order to reduce the risk of these attacks, it’s critical that companies realize that not all MFA factors are created equal. Factors such as push, one-time passcodes (OTPs), and voice calls are more vulnerable and are easier to bypass via social engineering. Security key technology based on modern MFA protocols like FIDO2 has resiliency built into its design, and we need to increase the adoption and use of these phishing-resistant factors globally. Finally, further defense in depth is necessary to reduce the impact of MFA bypass events. Even with the best technology deployed, strategies to guard against MFA bypass are necessary, including the use of secure-access policies that enforce further device-based requirements before providing access. These types of secure access policies increase the complexity and cost of the attack, and give security teams more chances to detect and respond.
It’s also noteworthy that various types of attackers (from “sophisticated” hacking groups to individual teenagers) are using these techniques. This further reinforces that attackers will reliably use techniques that work and are low cost. No matter the size or budget of the adversary, they will always use the easiest and most cost-effective methods to compromise their targets. That’s why we keep seeing the same tactics play out regardless of the adversary or victim: adversaries know that people can be tricked into giving up their passwords, weak MFA is prevalent, and the tools to exploit this are free and relatively easy to use."
Keith Neilson, Technical Evangelist at CloudSphere
"High-profile enterprises entrusted with large volumes of sensitive customer data have a responsibility to establish strict guardrails around access management. For organizations today, basic password protection just isn’t enough to ensure proper identity access management and security of all cyber assets. Malicious attacks of this magnitude illustrate the need for businesses to extend their focus beyond just password best practices – they must prioritize secure access and next-generation authentication. Developing new and improved alternatives to password management begins with the implementation of a robust cyber asset management strategy.
In the context of this incident, the most important thing to consider is that companies have no way of remediating what they cannot see. Given the multi-layer implications between data, assets, applications, and users, companies can only begin to enforce identity and password management policies when they secure full visibility of their attack surface. Hence, the first step to an effective cyber asset management strategy is taking inventory of all cyber assets hosted within the company’s IT estate. Once all assets are accounted for, enterprises can adopt and enforce more advanced authentication methods and security guardrails. Without this integration, passwords will continue to be used as a fallback, leaving valuable data vulnerable to attacks."
Samantha Humphries, Head of Security Strategy EMEA at Exabeam
“This coordinated social engineering attack - on such a large and established organisation - is sadly not the surprise that it may have been a few years ago. What seems to be clear at this stage is it’s a credentials-based attack - malicious use of an employee’s legitimate password. This is far from rare; in fact, a 2022 report found that insider threat incidents have risen 44% over the past two years.
Almost all of the high-profile breaches we see in the news involve attackers leveraging stolen user credentials to gain access to sensitive data. Insiders with access to privileged information represent the greatest risk to a company’s security. This kind of threat can be much harder to detect. After all, an attacker with valid credentials looks just like a regular user. This presents one of the most significant challenges for security teams.
Sadly, this is unlikely to be the last time we’ll see this type of breach. Failure to adapt security operations to detect and mitigate credential-based attacks will continue to have serious consequences.
Whilst there are already many details being shared by the purported attacker, the wider implications of this breach are still unknown. However, for Uber’s incident responders, it is certain that they have had better days in the office, and my heart absolutely goes out to them.”
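The MFA push-fatigue bypass that Donoso and Yavor describe above leaves a distinctive trace in authentication logs: a burst of push prompts for one account, most of them denied or timed out, sometimes ending in a single approval. The following detector is an added example written for this page, not code from Uber or from any of the vendors quoted; the log line format, the field names, the user names and IP addresses, and the thresholds are all assumptions chosen for illustration.

```python
"""Push-fatigue (MFA prompt bombing) detection over constructed auth log lines.

Added example for this page, not Uber's or any vendor's code. The log format,
user names, source IPs and thresholds below are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (assumed format): one MFA push decision per line.
# "alice" is bombed with prompts and finally approves one; "bob" shows normal use.
SAMPLE_LOG = """\
2022-09-15T01:02:10Z user=alice src=198.51.100.7 event=mfa_push result=denied
2022-09-15T01:02:41Z user=alice src=198.51.100.7 event=mfa_push result=denied
2022-09-15T01:03:15Z user=alice src=198.51.100.7 event=mfa_push result=denied
2022-09-15T01:03:50Z user=alice src=198.51.100.7 event=mfa_push result=timeout
2022-09-15T01:04:30Z user=alice src=198.51.100.7 event=mfa_push result=denied
2022-09-15T01:05:02Z user=alice src=198.51.100.7 event=mfa_push result=approved
2022-09-15T09:15:00Z user=bob src=203.0.113.5 event=mfa_push result=approved
2022-09-15T09:16:30Z user=bob src=203.0.113.5 event=mfa_push result=denied
2022-09-15T09:20:00Z user=bob src=203.0.113.5 event=mfa_push result=approved
"""

REJECTED = {"denied", "timeout"}  # outcomes that mean the user did not accept


@dataclass
class PushEvent:
    ts: datetime
    user: str
    src: str
    result: str


@dataclass
class Finding:
    user: str
    sources: list            # distinct source IPs seen in the burst
    window_start: datetime
    prompts: int             # total prompts in the burst
    rejected: int            # denied + timed-out prompts
    approved_after_rejections: bool  # the bypass succeeded


def parse_line(line: str) -> PushEvent:
    """Parse one 'TIMESTAMP key=value ...' line of the assumed log format."""
    ts_str, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return PushEvent(ts, fields["user"], fields["src"], fields["result"])


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if "event=mfa_push" in l]


def find_bursts(events: list, gap: timedelta) -> list:
    """Split one user's time-ordered events into bursts separated by more than `gap`."""
    bursts, current = [], []
    for e in events:
        if current and e.ts - current[-1].ts > gap:
            bursts.append(current)
            current = []
        current.append(e)
    if current:
        bursts.append(current)
    return bursts


def detect_push_fatigue(events: list, gap: timedelta = timedelta(minutes=5),
                        min_prompts: int = 4, min_rejections: int = 3) -> list:
    """Flag bursts with many prompts and many rejections; note whether an
    approval followed the rejections (the attacker got in)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)
    findings = []
    for user, evs in by_user.items():
        for burst in find_bursts(evs, gap):
            rejected_so_far, approved_after = 0, False
            for e in burst:
                if e.result in REJECTED:
                    rejected_so_far += 1
                elif e.result == "approved" and rejected_so_far >= min_rejections:
                    approved_after = True
            if len(burst) >= min_prompts and rejected_so_far >= min_rejections:
                findings.append(Finding(user, sorted({e.src for e in burst}),
                                        burst[0].ts, len(burst), rejected_so_far,
                                        approved_after))
    return findings


def run(text: str = SAMPLE_LOG) -> list:
    return detect_push_fatigue(parse_log(text))


if __name__ == "__main__":
    for f in run():
        print(f"{f.user}: {f.prompts} prompts, {f.rejected} rejected from {f.sources}, "
              f"starting {f.window_start:%Y-%m-%d %H:%M}; "
              f"approved after rejections: {f.approved_after_rejections}")
```

The approved-after-rejections flag is what separates a nuisance from an incident: a burst that ends in an approval means a session was established and the account and the source IP should be treated as compromised until proven otherwise. With number matching enabled, as Donoso recommends, the same burst would stall at the prompt because the user never sees the number shown on the attacker's login screen.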
Arti Raman (She/Her), CEO & Founder, Titaniam
"Uber is the latest in a string of social engineering attack victims. Employees are only human, and eventually mistakes with dire consequences will be made. As this incident proved, despite security protocols put in place, information can be accessed using privileged credentials, allowing hackers to steal underlying data and share them with the world.
The gig economy provides people the opportunity to be their own boss, and choose how and when they want to work in a way that fits their lifestyles. It has also revolutionized the way we use public transportation and has allowed for unprecedented mobility and convenience. We use these apps and trust them with our personally identifiable information. What has become an alarming reality is that these data-intensive apps are a perfect target for hacker groups because of the rich environment of valuable data that is out in the open, ripe for attack.
Gig economy enterprises, as well as other data intensive enterprises can now take comfort knowing that the modern security toolbox contains encryption-in-use. Encryption-in-use, also known as data-in-use encryption, makes it possible for valuable data to be sliced and diced without decryption. This means that even if attackers get in via privileged credentials and access treasure troves of data, they cannot leave with unencrypted data. This makes encryption-in-use among the most effective solutions for keeping customer and company information safe and minimizing the risk of extortion. Encryption-in-use provides enterprises with unmatched immunity to data-focused cyberattacks. Should adversaries gain access to data by any means, data-in-use encryption keeps the sensitive information encrypted and protected even when it is actively being utilized. This helps neutralize all possible data-related leverage and dramatically limits the impact of a data breach.”
Neil Jones, Director of Cybersecurity Evangelism at Egnyte
"The cyberattack on Uber is a stark reminder that we need to employ a consistent "Trust but Verify" approach to IT security, and that organizations' cybersecurity programs are only as strong as their weakest links. Here, we see how advanced social engineering and spear-phishing tactics can lead to exfiltration of sensitive documents and ultimately impact a brand's reputation. We also see the critical importance of vetting bug bounty hunters' backgrounds carefully, and keeping vulnerability findings from bug bounty programs isolated and private, since a disgruntled bounty partner can be a worthy adversary.
In addition to general cybersecurity awareness training, penetration testing and anti-phishing education are powerful deterrents to such attacks. We can anticipate that organizations which collect the trifecta of private information - Personally Identifiable Information (PII), credit card data and users' behavioral patterns like ride history - will become the epicenter of future cyberattacks. You need to have a plan in place for that inevitability."
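The pivot McShane and Donoso describe above, from a VPN foothold to admin credentials left in plain text in a script on a network share, is something a penetration test of the kind Jones mentions should find before an attacker does. The scanner below is an added example written for this page, not code from Uber or from any of the quoted vendors; the sample script, the file-name and path assumptions, and the detection rules are all constructed for illustration, and a real sweep would run it against the shares that authenticated users can read.

```python
"""Scan script files for hard-coded credentials (constructed example, not Uber code).

Rules are assumptions chosen to catch common PowerShell/shell patterns; real
secret scanners use far larger rule sets. The sample script and share paths
are constructed for illustration.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Constructed sample script of the kind an attacker might find on a share.
SAMPLE_SCRIPT = r'''# backup-share.ps1 (constructed sample script, not real Uber code)
$AdminUser = "CORP\svc_backup"
$AdminPassword = "Winter2022!"
$sec = ConvertTo-SecureString "Winter2022!" -AsPlainText -Force
$apiKey = $env:BACKUP_API_KEY   # reference, not a literal: should not be flagged
net use \\fileserver\backup /user:CORP\svc_backup Winter2022!
$env:AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
'''

SCRIPT_EXTENSIONS = {".ps1", ".psm1", ".bat", ".cmd", ".sh", ".py", ".vbs"}

# (rule name, compiled regex whose group 1 is the secret value)
RULES = [
    ("plaintext assignment",
     re.compile(r'(?i)[\w$]*(?:password|passwd|pwd|secret|api_?key|token)\w*\s*[=:]\s*["\']([^"\']{4,})["\']')),
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r'(?i)ConvertTo-SecureString\s+(?:-String\s+)?["\']([^"\']+)["\'].*-AsPlainText')),
    ("net use with inline password",
     re.compile(r'(?i)\bnet\s+use\b.*\s/user:\S+\s+(\S+)')),
    ("AWS access key id",
     re.compile(r'\b(AKIA[0-9A-Z]{16})\b')),
]


@dataclass
class Hit:
    path: str
    line: int
    rule: str
    redacted: str   # never copy the full secret into a report


def redact(value: str) -> str:
    return value[:2] + "***" if len(value) > 2 else "***"


def scan_text(path: str, text: str) -> list:
    """Apply every rule to every line; one Hit per (line, rule) match."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rule in RULES:
            m = rule.search(line)
            if m:
                hits.append(Hit(path, lineno, name, redact(m.group(1))))
    return hits


def scan_tree(root: str) -> list:
    """Walk a directory (e.g. a mounted share) and scan every script file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() in SCRIPT_EXTENSIONS:
                full = os.path.join(dirpath, fname)
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    hits.extend(scan_text(full, fh.read()))
    return sorted(hits, key=lambda h: (h.path, h.line))


def demo() -> list:
    """Write the constructed script into a temporary 'share' and scan it."""
    with tempfile.TemporaryDirectory() as share:
        os.makedirs(os.path.join(share, "IT", "scripts"))
        with open(os.path.join(share, "IT", "scripts", "backup-share.ps1"), "w") as fh:
            fh.write(SAMPLE_SCRIPT)
        return scan_tree(share)


if __name__ == "__main__":
    for h in demo():
        print(f"{h.path}:{h.line}: {h.rule} -> {h.redacted}")
```

Note that the `$env:` reference on the fifth line is deliberately not flagged: the point is to find literal secrets, and the fix for every real hit is the same one Donoso implies, which is to pull the credential out of the script and have it fetched at run time from the PAM or secrets store, with the share ACLs tightened so that a VPN user's account cannot read IT's scripts at all.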
Jyoti Bansal, Co-founder and CEO at Traceable AI
"The days of preventing malicious activity with preventative measures like firewalls are long gone. Bad actors will find a way to get to what is not accessible. This was apparent in the recent attack on Uber - where a hacker gained access to vulnerability reports and took screenshots of internal systems which were confidential. Until a remedy is available - malicious actors will not stop using private information as a weapon.
Companies like Uber can combat this by keeping an eye on system activity. Utilizing adaptive techniques that create a baseline of how users interact with a network can identify odd behavior, which might be a sign of a malicious attack. Today, prevention has a place, but in order to reduce the impact of breach attempts, it must be backed up by threat detection and action. API observability, monitoring, and rate-limiting are crucial for enterprises since APIs play a significant part in giving attackers an access route.
We need to stop relying on 20th century technologies to fight 21st century problems.”
Tim Prendergast, CEO, strongDM
"If the increased frequency of malicious hacks and breaches teaches us anything, it's that no company or individual is immune from becoming a victim. The incident at Uber is just another illustration of how dangerous it is to put infrastructure credentials into the hands of your staff. Valid credentials are essentially VIP passes into databases, servers, and anything else that companies don't want shared publicly. Organizations must adopt modern security and access practices, such as removing credentials completely from the equation. That's the only way to prevent these types of breaches in the future."
Saryu Nayyar, CEO, Gurucul
"Well, looks like Uber's been taken for a ride - and this is a ride they will pay for dearly. All it takes is one successful compromise to circumvent most preventive controls, and this attacker used the most accessible and simple technique of social engineering to take over a valid Uber user account.
What is required is a stronger detection program that also monitors for and identifies risky access controls, entitlements and user behaviors, and associated abnormal or deviant activity. This includes potential threats from the inside, not just outside threats. More advanced and adaptable technologies that use machine learning and artificial intelligence to compensate for threat actor activity and human behavior have proven to be more effective at stopping successful attacks."